Introducing 306 Million Freely Downloadable Pwned Passwords

Megalith
Microsoft Regional Director and MVP Troy Hunt has introduced a website that allows you to check whether your passwords have ever been compromised. A 5.3 GB 7-Zip file of the passwords, each represented as a SHA-1 hash, is also available for download.

...don't enter a password you currently use into any third-party service like this! I don't explicitly log them, and I'm a trustworthy guy, but yeah, don't. The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it's not one they should no longer be using. Mind you, someone could actually have an exceptionally good password, but if the website stored it in plain text then leaked it, that password has still been "burned."
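One way to make that check without handing the password to anyone, as an added example that is not part of the original post or of Troy Hunt's service: hash the candidate locally and look it up in the downloaded list. Assumed: the list is one upper-case SHA-1 per line, optionally followed by ':<count>' as in later releases; the sample lines below are constructed here.

```python
import hashlib
import sys
from typing import Dict, Iterable, Optional

# Constructed sample in the shape of the downloadable list: one upper-case
# SHA-1 hex digest per line (the two values below are the well-known
# SHA-1 digests of "password" and "123456"). Later releases of the list
# append ":<count>" to each line, so the loader tolerates that as well.
SAMPLE_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003
7C4A8D09CA3762AF61E59520943DC26494F8941B
# blank and malformed lines should be skipped, not crash the loader

not-a-hash
"""


def load_hashes(lines: Iterable[str]) -> Dict[str, Optional[int]]:
    """Parse list lines into {SHA1_HEX: count_or_None}; junk lines are skipped."""
    table: Dict[str, Optional[int]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, count = line.partition(":")
        digest = digest.upper()
        if len(digest) != 40 or any(c not in "0123456789ABCDEF" for c in digest):
            continue  # not a SHA-1 hex digest; ignore the line
        table[digest] = int(count) if count.isdigit() else None
    return table


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 of the UTF-8 password, matching the list's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_pwned(password: str, table: Dict[str, Optional[int]]) -> bool:
    """True if the password's SHA-1 appears in the locally loaded list.
    The plaintext never leaves this process; only the digest is compared."""
    return sha1_hex(password) in table


if __name__ == "__main__":
    table = load_hashes(SAMPLE_LIST.splitlines())
    for candidate in sys.argv[1:] or ["password", "correct horse battery staple"]:
        verdict = "pwned" if is_pwned(candidate, table) else "not in list"
        print(candidate, "->", verdict)
```

Building a dict of the full 306 million entries is impractical; for the real file, stream it line by line (or binary-search the sorted file) and compare against the locally computed digest.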
 
I bet they store the passwords people are typing to check and then are able to try using those passwords.
 
I bet a good 50% of them are variations on the word password...
 
I've used this site for a few years now. This guy is pretty good; I watched a few of his ethical hacking videos on Pluralsight. His site doesn't show you anything as far as data is concerned; it just lets you know if you were "pwned", by what data breach type, and from what company your username and password were stolen.
 
Beautiful. He even includes a download. I will merge those with my current 50GB Dictionary file. There might be a couple hundred thousand to add to the list that I don't already have.
 
Yeah, even if he is trustworthy, I'm not going to enter my PW.

Password leaks are why I use a yearly changing algorithm to develop my passwords. The cypher is easy to memorize but hard to figure out unless you're in my brain. Allows me to have 128+bit 256charset (that's character set, not length) passwords that I can remember.
 
Oh man, my default password for everything has been pwned :(

Guess I'll need to change it from !QAZ@WSX#EDC$RFV to something else.
 
What pisses me off is that many sites do not allow using Scandinavian special characters in passwords - those are always a good addition since most attackers do not use them.

I mean, what's the point of setting up a password and then not allowing you to use characters that would, you know, make it safe lol.
 
Definition of naive: A person who enters his password into a site that promises to check if the person's password has been exposed.

Yeah, even if he is trustworthy, I'm not going to enter my PW.

Password leaks are why I use a yearly changing algorithm to develop my passwords. The cypher is easy to memorize but hard to figure out unless you're in my brain. Allows me to have 128+bit 256charset (that's character set, not length) passwords that I can remember.

Troy Hunt even says not to use it for checking your current passwords. More for showing people "do you really want to use that password you planned on using?" to show them how weak passwords have already been breached.

He didn't even want to make this website really, but ended up doing it anyway.
 
[image: password_strength.png]
 
Any real way to implement this? I mean shit, the standard is simple enough to define: '4 words', '5 words', a 'single sentence, no spaces', whatever.
Get a list of 2000 common English words that aren't too short, get a random number generator, randomly select 5 words.
 
they'll never guess my password.

it's the price of a cheese pizza and large soda at Panucci's Pizza.
 
- Is my password compromised?
- Now it is.
 

I've been trying to adopt this method for years, I always forget the password. Or passphrase in this case. As it turns out remembering random unconnected common words is not as easy as it's made out to be. I always end up having to reset my password on sites where I tried this.

It's easier for me to remember a collection of random letters and numbers. As long as it's no longer than 8-10 chars.

Most important places don't allow more than a few tries a minute anyway.
 